chore: Synced file(s) with honestbank/.github

honestbank · Sep 12, 2022 · 861d605 · 861d605
1 parent 2876c5b
commit 861d605
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 28 deletions.
diff --git a/.checkov.yaml b/.checkov.yaml
@@ -1,11 +1,13 @@
 compact: true
 directory:
-  - modules
+- .
 download-external-modules: true
 evaluate-variables: true
 external-modules-download-path: .external_modules
 framework:
 - all
 quiet: true
 skip-path:
-  - test
+  - .external_modules
+  - modules
+  - catalog-info.yml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,8 +1,11 @@
+# DO NOT CHANGE. This file is being managed from a central repository
+# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md
+
 # This is a comment.
 # Each line is a file pattern followed by one or more owners.
 
 # These owners will be the default owners for everything in
 # the repo. Unless a later match takes precedence,
 # @global-owner1 and @global-owner2 will be requested for
 # review when someone opens a pull request.
-*       @honestbank/devops-engineers @jai
+*       @honestbank/devops-engineers
diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml
@@ -16,3 +16,18 @@ jobs:
         name: Semantic Pull Request
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: feat - verify design doc link
+        run: |
+          if [[ "${{ github.event.pull_request.title }}" == "feat:"* ]]; then
+            echo "Pull request title starts with feat:";
+            regex='design doc: \[.+?\]\(https://www.notion.so/honestbank/.+?\)'
+            if [[ "${{ github.event.pull_request.body }}" =~ $regex ]]; then
+              echo "Pull request body contains link to a design doc 🚀";
+            else
+              echo "Pull request does not contain a design document link - please attach the relevant design doc! Refer to https://www.notion.so/honestbank/Engineering-Design-Documents-9681402a62514306876458686bfd4157";
+              exit 1;
+            fi;
+          else
+            echo "Pull request is not a feature, skipping design doc check";
+          fi
diff --git a/.github/workflows/shiftleft-terraform.yaml b/.github/workflows/shiftleft-terraform.yaml
@@ -11,16 +11,16 @@ jobs:
   shiftleft-terraform:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
-      - run: echo "REPO_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
-      - name: Download ShiftLeft CLI
-        run: |
-          curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
-      - name: Extract branch name
-        shell: bash
-        run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
-        id: extract_branch
-      - name: NextGen Static Analysis
-        run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app ${{ env.REPO_NAME}} --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --terraform $(pwd)
-        env:
-          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+    - uses: actions/checkout@v2
+    - run: echo "REPO_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+    - name: Extract branch name
+      shell: bash
+      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+      id: extract_branch
+    - name: NextGen Static Analysis
+      run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app ${{ env.REPO_NAME}} --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --terraform $(pwd)
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,23 +1,26 @@
+# DO NOT CHANGE. This file is being managed from a central repository
+# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md
+
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
+
 repos:
-  -   repo: https://github.com/pre-commit/pre-commit-hooks
-      rev: v4.3.0 # Get the latest version from: https://github.com/pre-commit/pre-commit-hooks/releases
-      hooks:
-        -   id: trailing-whitespace
-        -   id: end-of-file-fixer
-        -   id: check-yaml
-        -   id: check-added-large-files
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.3.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: detect-aws-credentials
+        args: ["--allow-missing-credentials"]
   - repo: https://github.com/antonbabenko/pre-commit-terraform
     rev: v1.74.1 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
-      # The terraform_validate hook will error out - see:
-      # https://github.com/antonbabenko/pre-commit-terraform#terraform_validate
-      # Running `terraform validate` inside the component module folder also will not pass.
       - id: terraform_validate
       - id: terraform_tfsec
-        exclude: test/
+        exclude: "test/"
       - id: terraform_checkov
-        exclude: test/
+        exclude: "test/"